(57) Abstract

An encrypting exponentiation modulo M is effected
by a modular multiplication X*Y mod M, where M is a
temporally steady but instance-wise non-uniform modulus. 
The method involves an iterative series of steps. Each step 
executes one or two first multiplications to produce a first 
result, and a trim-down reduction of the size of the first 
result by one or more second multiplications to produce a 
second result. The method furthermore takes a distinctive 
measure for keeping the final result of each step below a 
predetermined multiplicity of the modulus. In particular, 
the method postpones substantially any subtraction of the 
modulus as pertaining to the measure to a terminal phase 
of the modular exponentiation. This is possible through 
choosing in an appropriate manner one or more parameters 
figuring in the method. This further maintains overall 
temporal performance. 
A method and device for executing a decrypting mechanism through calculating a
standardized modular exponentiation for thwarting timing attacks.



BACKGROUND OF THE INVENTION 

The invention relates to a method according to the preamble of Claim 1.
Encrypting by executing a standardized modular exponentiation is used in the environment of
a smart card and elsewhere, such as for supporting financial operations, through blocking
opportunity for falsifying the control or contents of such operations. Encryption can be
expressed as y = <x^e>_M, wherein x is a message, e is an encryption key, and M a modulus.
Likewise, decryption is effected as D(y) = <y^d>_M, wherein d is the decryption key, and
retrieving x from D is straightforward. For a particular device, the values of M and e are
known and fixed, the content of x to be encrypted is naturally unknown and variable, and the
value of d is fixed but unknown. For certain operations, such as the providing of an encoded
signature, the first encoding also operates with a secret key along similar lines. For the
present description, such encoding is also called "decrypting". Now, the decrypting is
effected digit-wise. For each digit of d, one or two first multiplications X*Y mod M
produce a first result. The attaining of such first result is followed by an addition. After
attaining a second result, the next digit of d is processed. Prior technology has kept the size
of the second result down by, in operation, subtracting an appropriate multiplicity (zero, one,
or more) of the quantity M, because the register width of available hardware is adapted to
the digit length, which is generally much less than the size of the overall quantities used in the
multiplication.

It has been found that the sequential pattern of the above multiplicity may
depend on the values of X, Y, and M. Further, the use of temporal statistics on a great
number of mutually unrelated decryption operations with arbitrary messages allows deriving
a value for d. This renders the protection by the encryption illusory. Therefore, a need exists
to mask these statistical variations by some additional affecting of the calculation procedure.

SUMMARY OF THE INVENTION

In consequence, amongst other things, it is an object of the present
invention to suppress the relation between the value of the decryption key and the temporal
structure of the calculating steps, through a masking mechanism that does not appreciably
lengthen the calculations, nor would necessitate inordinate hardware facilities. Now
therefore, according to one of its aspects, the invention is characterized by the characterizing
part of Claim 1. In particular, the inventors have recognized that present day
microcontrollers, even those that are used in the constraining environment of a smart card,
can allow the use of longer storage registers than before, and in particular, a few bits longer
than the digits used in the calculation. Such registers would provide the extra freedom that
the present invention is in need of.

Advantageously, the procedure executes the exponentiation along the
Quisquater or Barrett prescriptions. These are methods commonly in use, and the amending
of their prosecution for adhering to the invention is minimal. The pattern of the calculation
procedure no longer depends on the decryption key. This takes away any method for so
deciphering the value of the decrypting key.

The invention also relates to a device arranged to implement the method
of the invention. Further advantageous aspects of the invention are recited in dependent
Claims.

BRIEF DESCRIPTION OF THE DRAWING

These and further aspects and advantages of the invention will be
discussed more in detail hereinafter with reference to the disclosure of preferred
embodiments, and in particular with reference to the appended Figures that show:

Figure 1, a hardware block diagram of the invention;

Figure 2, a flow chart of the invention.

DETAILED DISCLOSURE OF PREFERRED EMBODIMENTS

The so-called "timing attack" follows the recognizing that for various
implementations of the modular exponentiation, the computation times of successive
encryptions will vary slightly from one message to another. With knowledge of the
implementation, precise measuring of computation times for a large number of messages may
lead to obtaining the secret key. Experiments have demonstrated that such is feasible indeed.
To understand the nature of the attack and possible countermeasures, we give the main
elements of the RSA encryption/decryption method and some common implementations.

Messages are encoded by integers x in a range 0 ≤ x < M, for some fixed
number M. For integers y, z, and N, y ≡ z mod N indicates that N divides y-z. Also, <y>_N
denotes the remainder of y after division by N, that is the unique number r with 0 ≤ r < N
such that y = r + q.N for some integer q. If a is a real number, then ⌊a⌋ denotes the largest
integer k ≤ a (truncating).

The RSA scheme is based on the difficulty to factor large numbers, as
follows. Two communicating parties may agree on a number M, which typically is an
(m=512)-bit number, and is the product M = p.q of two prime numbers p and q that are
kept secret, and each have approximately m/2 bits. The parties also agree on a private key
number d and a public key number e. The numbers M and e are made public, while the
number d may be put into a tamper-resistant module of a smart card that is given to the user
party. The private key d must remain unknown to the user. Instructions to change the
account of the user are sent in encrypted form to the smart card which then uses the private
key d to decrypt the instructions to amend the account. The smart card is considered
"hacked" if a user obtains the private key d, and might so for instance instruct the card to
increase the account. The numbers d and e must satisfy

d.e ≡ 1 mod lcm(p-1, q-1),

where lcm(a,b) is the least common multiple of a and b, the smallest positive integer
divisible by both a and b. Given a modulus N and an integer c for which gcd(c,N) = 1, that
is, with c and N relatively prime (without a common divisor), it is easy to compute a number
c' such that c.c' ≡ 1 mod N. To transfer a secret message x, 0 ≤ x < M, to a user, the
number E(x) = <x^e>_M is sent instead. From an encoded message y, the card computes
D(y) = <y^d>_M. Note that if y = <x^e>_M, then D(y) ≡ (x^e)^d = x^{d.e} ≡ x mod M. This equality
follows from the fact that y^f ≡ y mod M holds for all y if and only if f ≡ 1 mod lcm(p-1, q-1).

The security of the RSA scheme depends on the difficulty to recover
<x>_M from <x^e>_M without knowing the private key d. For arbitrary x this problem
appears as difficult as inverting e modulo lcm(p-1, q-1), i.e. finding d without knowing p
and q, which is as difficult as factoring M.
Modular exponentiation

The main operation in an RSA scheme is modular exponentiation,
y → x = <y^d>_M. Often, this operation is implemented as follows. Write

$d = \sum_{i=0}^{m-1} d_i 2^i,$

where d_i ∈ {0,1}, the binary representation of d. Put x^{(m)} = 1, and compute x^{(m-1)}, x^{(m-2)}, ...,
x^{(1)}, x^{(0)} recursively as

$x^{(k)} = \left\langle \langle (x^{(k+1)})^2 \rangle_M \cdot y^{d_k} \right\rangle_M.$   (1)

We now have x = x^{(0)}. The original message x is computed from the
received encrypted message y in m steps, each step consisting of a squaring modulo M
followed by a multiplication modulo M if the corresponding key-bit is 1. From (1) we see
that exponentiation is done through repeated modular multiplications, that is, the operation

$(x,y) \to z = \langle x \cdot y \rangle_M.$   (2)

Most systems simplify this multiplication by grouping the m bits of the
number y into digits of b bits, wherein b may arbitrarily range from b = 1 to b = 32. Thus, y
is written as

$y = \sum_{i=0}^{\lfloor n/b \rfloor - 1} y_i 2^{bi},$

where 0 ≤ y_i < 2^b. Formula (2) is calculated recursively by putting z_{⌊n/b⌋} = 0, and
computing z_{⌊n/b⌋-1}, ..., z_0 successively by

$z_i = \left\langle \langle x \cdot y_i \rangle_M + z_{i+1} 2^b \right\rangle_M.$   (3)

It is not attractive to implement the operation

$(x, y_i) \to \langle x \cdot y_i \rangle_M$   (4)

"as is", for the following reason. The number u = x.y_i is an (m+b)-bit number.
The number <u>_M is obtained as

$\langle u \rangle_M = u - \left\lfloor \frac{u}{M} \right\rfloor \cdot M.$   (5)

This computation needs a multiplication and a division of u by the m-bit
number M. However, normal division of large numbers is much more complex than
multiplication. Therefore, various methods have replaced the direct implementation of (5) by
implementations that use a few (typically, two or three) multiplications, possibly followed by
a few (typically, one or two) subtractions of M.

Several methods use special representations for numbers modulo M. This
needs converting from ordinary representation to special representation and back. The
converting is done only once at the start and once at the end of a modular exponentiation. In
between, many modular multiplications are computed, so the extra overhead is negligible.
We will give two such methods in detail.

The additional subtractions that sometimes must follow a modular
multiplication make timing attacks feasible. In such attack, the smart card must decrypt a
large number of messages, and a statistical analysis of the decryption times enables an
attacker to recover the bits of the private key d. The invention adapts known methods for
modular multiplication so that these extra subtractions are no longer needed.
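As an added illustration (example code written for this edition, not part of the patent), the following Python implements formulas (1), (3) and (5) literally: the square-and-multiply loop over the bits of d, with every modular multiplication done digit by digit and reduced by the exact division of (5). The function names and the 8-bit digit size are this example's own choices; the self-check compares against Python's built-in pow on constructed random operands.

```python
# Added example (not from the patent): the square-and-multiply loop of formula (1), built
# on the digit-wise modular multiplication of formula (3) with the exact reduction (5).
# digits, exact_reduce, mod_mul, mod_exp and self_check are this example's own names.
import random


def digits(y, b, count):
    """Split y into exactly `count` b-bit digits y_0 .. y_{count-1}, least significant first."""
    mask = (1 << b) - 1
    return [(y >> (b * i)) & mask for i in range(count)]


def exact_reduce(u, M):
    """<u>_M as in formula (5): one division of u by M and one multiplication."""
    return u - (u // M) * M


def mod_mul(x, y, M, b=8):
    """z = <x.y>_M per formula (3): process the digits of y most significant first,
    keeping the running result reduced after every digit (requires 0 <= y < M)."""
    count = -(-M.bit_length() // b)          # ceil(m / b) digits cover any y < M
    z = 0
    for y_i in reversed(digits(y, b, count)):
        z = exact_reduce(exact_reduce(x * y_i, M) + (z << b), M)
    return z


def mod_exp(y, d, M, b=8):
    """x = <y^d>_M per formula (1): square at every key bit, multiply only when d_k = 1.
    Formula (5) hides the reduction work behind a division; the methods that replace it
    are where the operand-dependent subtractions discussed in the text appear."""
    x = 1
    for bit in bin(d)[2:]:                   # d_{m-1} .. d_0, most significant first
        x = mod_mul(x, x, M, b)
        if bit == "1":
            x = mod_mul(x, y, M, b)
    return x


def self_check(trials=200, bits=128, seed=7):
    """Compare against Python's built-in pow() on constructed random operands."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        y, d = rng.randrange(M), rng.getrandbits(bits)
        if mod_exp(y, d, M) != pow(y, d, M):
            return False
    return True
```

The digit loop in mod_mul is the inner loop of the later flow chart (block 56); the bit loop in mod_exp is the outer loop (block 60).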

TWO METHODS FOR MODULAR MULTIPLICATION

In the Quisquater method, all reduction is done modulo some multiple N
of M, where the first p most significant bits of N are all equal to 1, that is, the modulus N is
an n-bit number for which

$2^n - 2^{n-p} \le N < 2^n.$   (7)

At the end of the exponentiation modulo N, the result is reduced modulo
M to get the desired answer. To compute a modular multiplication

$(x,y) \to z = \langle x \cdot y \rangle_N,$   (8)

the n-bit number y is partitioned into blocks of b ≤ p-1 bits and z is found recursively by
multiplying x.y_i similarly to (3). Expression (5) is replaced by the "Quisquater-reduction":

$Q(u) = u - \left\lfloor \frac{u}{2^n} \right\rfloor \cdot N.$   (9)

Remark 1: Note that Q(u) ≡ <u>_N mod N. Only, we cannot guarantee
that Q(u) < N. For large u the number Q(u) can indeed be bigger than N. However, we can
show that Q(u) < θN if u < 2^p (θ-1) N, so the Quisquater-reduction is "almost as good" as the
required residue-operation.

Now, the result z of the multiplication is computed recursively by putting
z_{⌊n/b⌋} = 0 and

$z_i = Q(x \cdot y_i + z_{i+1} 2^b).$   (10)

Note that z := z_0 ≡ x.y mod N holds. We may show that for b ≤ p-1 and
0 ≤ x < N, we have 0 ≤ z_i < 3N for all i. So the result z = <x.y>_N is obtained from z_0 by
subtracting N at most twice. We will prove this later.
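The Quisquater reduction (9) and the recursion (10), as an added example (not the patent's own code), with the final subtractions of N counted per product so that their dependence on the operands is visible. quisquater_modulus, Q, quisquater_mul, subtraction_histogram, remark_1_holds and self_check are names chosen here; the moduli and operands in the checks are constructed at random.

```python
# Added example (not the patent's code): Quisquater's reduction Q(u) of formula (9), the
# recursion (10), and a count of how many final subtractions of N each product needs.
import random


def quisquater_modulus(M, p):
    """Return (N, n): N = c*M is an n-bit multiple of M whose top p bits are all 1 (formula (7))."""
    n = M.bit_length() + p                    # n >= m + p guarantees that a multiple exists
    lo = (1 << n) - (1 << (n - p))            # 2^n - 2^(n-p)
    N = -(-lo // M) * M                       # smallest multiple of M that is >= lo
    assert lo <= N < (1 << n)
    return N, n


def Q(u, N, n):
    """Quisquater reduction u - floor(u / 2^n) * N: congruent to u mod N, but may exceed N."""
    return u - (u >> n) * N


def quisquater_mul(x, y, N, n, b):
    """Classical variant: recursion (10) over the b-bit digits of y (b <= p-1, 0 <= x < N),
    then the operand-dependent 'at most two' subtractions of N. Returns (z, subtractions)."""
    mask = (1 << b) - 1
    z = 0
    for shift in reversed(range(0, n, b)):    # y_i, most significant digit first
        z = Q(x * ((y >> shift) & mask) + (z << b), N, n)
        assert 0 <= z < 3 * N                 # the bound claimed in the text
    subtractions = 0
    while z >= N:
        z -= N
        subtractions += 1
    return z, subtractions


def subtraction_histogram(N, n, b, trials=2000, seed=1):
    """How often 0, 1 or 2 final subtractions occur for random operands. The count varies
    with the operands, which is the timing variation the text describes."""
    rng = random.Random(seed)
    hist = {0: 0, 1: 0, 2: 0}
    for _ in range(trials):
        _, subs = quisquater_mul(rng.randrange(N), rng.randrange(N), N, n, b)
        hist[subs] += 1
    return hist


def remark_1_holds(N, n, p, theta, trials=2000, seed=2):
    """Remark 1: Q(u) < theta*N whenever u < 2^p * (theta - 1) * N."""
    rng = random.Random(seed)
    limit = (1 << p) * (theta - 1) * N
    return all(Q(rng.randrange(limit), N, n) < theta * N for _ in range(trials))


def self_check(trials=300, bits=64, p=9, b=8, seed=4):
    """Constructed random moduli and operands: the reduced product equals <x.y>_N."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        N, n = quisquater_modulus(M, p)
        x, y = rng.randrange(N), rng.randrange(N)
        if quisquater_mul(x, y, N, n, b)[0] != (x * y) % N:
            return False
    return True
```

With p = 9 and b = 8 the histogram typically shows both zero and one subtraction occurring, i.e. the running time of quisquater_mul is not a function of N alone.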



The Barrett method uses the given modulus M itself. The modular reduction <x>_M of a
number x is estimated by

$B(x) = x - \left\lfloor \frac{\lfloor x / b^{n-1} \rfloor \cdot R}{b^{n+1}} \right\rfloor \cdot M,$   (11)

where

$R = \left\lfloor \frac{b^{2n}}{M} \right\rfloor$

and n is chosen such that b^{n-1} ≤ M < b^n. The product z = xy of two numbers x
and y is calculated as follows:

(i) z_0 = xy;

(ii) z = z_0' = B(z_0).

We will prove that if 0 ≤ x, y < M, the result z obeys 0 ≤ z < 3M, so that we need at most two
extra reductions to obtain <xy>_M. For b ≥ 3 the computation of B(z_0) may be simplified.
Let indeed

$u = \left\lfloor \frac{\lfloor x / b^{n-1} \rfloor \cdot R}{b^{n+1}} \right\rfloor \cdot M$

so that z = x - u. By the above remark, z < 3M < b^{n+1}. From z ≡ x - u mod b^{n+1}, we conclude
that

$z = \langle z \rangle_{b^{n+1}} = \begin{cases} \langle x \rangle_{b^{n+1}} - \langle u \rangle_{b^{n+1}} & \text{if this expression is } \ge 0, \\ b^{n+1} + \langle x \rangle_{b^{n+1}} - \langle u \rangle_{b^{n+1}} & \text{otherwise.} \end{cases}$
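Barrett's estimate (11), the two-step product (i)-(ii) with its final subtractions, and the b ≥ 3 shortcut that computes z only modulo b^{n+1}, as an added example (not the patent's own code). barrett_params, B, barrett_mul, barrett_mul_truncated and self_check are names chosen here; the moduli in the checks are constructed.

```python
# Added example (not the patent's code): Barrett reduction B(x) of formula (11) with
# R = floor(b^(2n)/M), the product (i)-(ii), and the truncated computation for b >= 3.
import random


def barrett_params(M, b):
    """n with b^(n-1) <= M < b^n, and the per-modulus constant R = floor(b^(2n) / M)."""
    n = 1
    while b ** n <= M:
        n += 1
    return n, b ** (2 * n) // M


def B(x, M, b, n, R):
    """B(x) = x - floor( floor(x / b^(n-1)) * R / b^(n+1) ) * M: multiplications only, no division by M."""
    q = (x // b ** (n - 1)) * R // b ** (n + 1)
    return x - q * M


def barrett_mul(x, y, M, b, n, R):
    """(i) z0 = x*y; (ii) z = B(z0); then subtract M until z < M. Returns (z, subtractions)."""
    z = B(x * y, M, b, n, R)
    assert 0 <= z < 3 * M                      # the bound the text proves for 0 <= x, y < M
    subtractions = 0
    while z >= M:
        z -= M
        subtractions += 1
    return z, subtractions


def barrett_mul_truncated(x, y, M, b, n, R):
    """Same result via the shortcut: since z < 3M < b^(n+1) when b >= 3, only the lowest n+1
    digits of z0 and of u = q*M are needed; a negative difference is fixed by adding b^(n+1)."""
    assert b >= 3
    z0 = x * y
    u = ((z0 // b ** (n - 1)) * R // b ** (n + 1)) * M
    modulus = b ** (n + 1)
    z = (z0 % modulus) - (u % modulus)
    if z < 0:
        z += modulus
    while z >= M:
        z -= M
    return z


def self_check(trials=300, bits=128, seed=3):
    """Constructed random moduli and operands below M: both routes give <x.y>_M."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        n, R = barrett_params(M, 4)
        x, y = rng.randrange(M), rng.randrange(M)
        expect = (x * y) % M
        if barrett_mul(x, y, M, 4, n, R)[0] != expect:
            return False
        if barrett_mul_truncated(x, y, M, 4, n, R) != expect:
            return False
    return True
```

The while loop in barrett_mul is exactly the data-dependent step (17) of the method summary; the rest of the routine performs a fixed amount of work for a given modulus.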



IMPROVEMENTS OF THE ALGORITHMS FOR MODULAR MULTIPLICATION 

Timing attacks are feasible because the modular multiplication may or
may not require additional subtractions of the modulus. However, these additional reductions
may be avoided: by a slight change of the original assumptions, we can work throughout the
modular exponentiation with the unreduced results, and do any reduction only at the very end
of the modular exponentiation. To show that this works, we will provide upper bounds on
the intermediate results of our modular multiplications for each algorithm.

For the modified Quisquater method we assume that we have a modulus
M for which 2^{m-1} ≤ M < 2^m. Now, we compute a number N = cM for which holds
2^n - 2^{n-p} ≤ N < 2^n. This is always possible if n ≥ m+p. Because the admissible interval for N
has length 2^{n-p} ≥ 2^m > M, some multiple of M must fall within this interval. All intermediate computations
are done modulo N, instead of modulo M, with a reduction modulo M at the very end. N is
a multiple of M, so no information is lost.

As before, to get the result z = xy of a modular multiplication of x and
$y = \sum_{i=0}^{\lfloor n/b \rfloor - 1} y_i 2^{bi}$, we use the following:

(i) z'_{⌊n/b⌋} = 0;

(ii) For i = ⌊n/b⌋-1, ..., 0, we compute z_i = x.y_i + z'_{i+1} 2^b and z'_i = Q(z_i);

(iii) z = z'_0.

We will need the following facts about this algorithm.

Proposition 3.3. If 0 ≤ x < αN and

$2^p + \alpha 2^b \le (2^p - 2^b)\,\theta,$   (12)

then for all i, 0 ≤ z'_i < θN.

Proof: If 0 ≤ x < αN, N ≥ 2^n - 2^{n-p}, 0 ≤ y_i < 2^b, and 0 ≤ z'_{i+1} < θN, then

$z_i < \alpha N 2^b + \theta N 2^b = (\alpha + \theta) N 2^b,$

hence

$\frac{Q(z_i) - \langle z_i \rangle_N}{N} = \left\lfloor \frac{z_i}{N} \right\rfloor - \left\lfloor \frac{z_i}{2^n} \right\rfloor < 1 + \frac{z_i (2^n - N)}{N 2^n} \le 1 + \frac{(\alpha+\theta) N 2^b 2^{n-p}}{N 2^n} = 1 + (\alpha+\theta) 2^{b-p} \le \theta.$

Now Q(z_i) ≡ z_i ≡ <z_i>_N, hence the number (Q(z_i) - <z_i>_N)/N is an integer; since according
to the above this number is < θ, we conclude that (Q(z_i) - <z_i>_N)/N ≤ θ-1. Since also
<z_i>_N < N by definition, it follows that z'_i = Q(z_i) < θN.

Obviously, condition (12) can only be satisfied if p ≥ b+1. Further, if
p = b+1, then (12) is equivalent to the condition θ ≥ α+2. So if α = 1 then the number z
resulting from the above algorithm always satisfies 0 ≤ z < 3N, so that at most two further
reductions are required, a result used hereabove.

If all results of modular multiplications must be less than αN, we need
θ = α, and it is necessary and sufficient that

p ≥ b+2, θ = α ≥ 2.



So, provided that p ≥ b+2, during modular exponentiation we may forego
additional reductions after each modular multiplication and still guarantee that all results are
non-negative and < 2N. The result of the modular exponentiation is obtained by at most one
reduction at the very end, plus a reduction z → <z>_M.
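The modified Quisquater exponentiation just described, as an added example (not the patent's own code): with p = b+2 and α = θ = 2, Proposition 3.3 keeps every intermediate result below 2N, so no multiplication subtracts N, and the terminal phase subtracts N at most once before reducing modulo M. quisquater_modulus, Q, mul_no_subtract, modexp_no_intermediate_subtraction and self_check are names chosen here; processing y as a fixed number of digits (enough for any operand below 2N) is this example's way of keeping the work per product independent of the operands.

```python
# Added example (not the patent's code): modular exponentiation modulo N = cM with the
# modified Quisquater multiplication (p >= b+2) and no per-multiplication subtraction of N.
import random


def quisquater_modulus(M, p):
    """N = c*M, an n-bit multiple of M with its top p bits set (2^n - 2^(n-p) <= N < 2^n)."""
    n = M.bit_length() + p
    lo = (1 << n) - (1 << (n - p))
    N = -(-lo // M) * M
    assert lo <= N < (1 << n)
    return N, n


def Q(u, N, n):
    """Quisquater reduction of formula (9)."""
    return u - (u >> n) * N


def mul_no_subtract(x, y, N, n, b, blocks):
    """Recursion (10) with the trailing 'while z >= N' removed. Operands may be as large as
    2N, so y is always processed as a fixed number of b-bit digits: the same number of
    multiplications and reductions is performed for every operand pair."""
    mask = (1 << b) - 1
    z = 0
    for shift in reversed(range(0, b * blocks, b)):
        z = Q(x * ((y >> shift) & mask) + (z << b), N, n)
    return z


def modexp_no_intermediate_subtraction(x, d, M, b=8):
    """<x^d>_M computed modulo N = cM with p = b+2 and no reduction inside the loop.
    Returns (result, largest intermediate value, N) so the 2N bound can be checked."""
    p = b + 2
    N, n = quisquater_modulus(M, p)
    blocks = -(-(n + 1) // b)                 # operands are < 2N < 2^(n+1)
    z, peak = 1, 1
    for bit in bin(d)[2:]:
        z = mul_no_subtract(z, z, N, n, b, blocks)
        peak = max(peak, z)
        if bit == "1":
            z = mul_no_subtract(z, x, N, n, b, blocks)
            peak = max(peak, z)
    # terminal phase: at most one subtraction of N, then the reduction z -> <z>_M
    if z >= N:
        z -= N
    return z % M, peak, N


def self_check(trials=50, bits=96, seed=5):
    """Constructed random operands: the result equals pow(x, d, M) and no intermediate reached 2N."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        x, d = rng.randrange(M), rng.getrandbits(bits)
        result, peak, N = modexp_no_intermediate_subtraction(x, d, M)
        if result != pow(x, d, M) or peak >= 2 * N:
            return False
    return True
```

The register-width cost the text mentions is visible here: intermediate values occupy up to n+1 bits instead of n, which is the "few bits longer than the digits" the summary refers to.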



The Barrett method can be modified in a way similar to Quisquater's.
Assume that modulus M obeys b^{n-1} ≤ M < b^n. To compute the result z = xy of a modular
multiplication of x and y, we use the following. Define

$B_{k,l}(u) = u - \left\lfloor \frac{\lfloor u / b^k \rfloor \cdot \lfloor b^{k+l} / M \rfloor}{b^l} \right\rfloor \cdot M.$

(i) z'_{⌊n/r⌋} = 0;

(ii) For i = ⌊n/r⌋-1, ..., 0, we compute z_i = x.y_i + z'_{i+1} b^r and z'_i = B_{k,l}(z_i);

(iii) z = z'_0.

Proposition 3.4: If 0 ≤ x < αM, 0 ≤ z'_{i+1} ≤ βM, and

k = n-1, l = r+1, 2 + α + β ≤ θ,   (13)

or

k = n, l = r+1, α = β = θ, θ ≥ max(2b/(b-2), (1+b)b^2/(b^2-2)),   (14)

or, for example,

b = 4, k = n-1, l = r+2, α = β = θ, θ ≥ 3,   (15)

or

b = 4, k = n-2, l = r+4, α = β = θ, θ ≥ 2,   (16)

then 0 ≤ z'_i < θM.

Proof: If 0 ≤ x < αM, b^{n-1} ≤ M < b^n, 0 ≤ y_i < b^r, and 0 ≤ z'_{i+1} ≤ βM, then

$z_i < \alpha M b^r + \beta M b^r = (\alpha + \beta) M b^r,$

hence

$\frac{B_{k,l}(z_i) - \langle z_i \rangle_M}{M} = \left\lfloor \frac{z_i}{M} \right\rfloor - \left\lfloor \frac{\lfloor z_i / b^k \rfloor \cdot \lfloor b^{k+l}/M \rfloor}{b^l} \right\rfloor$

$< 1 + \frac{z_i}{M} - \frac{(z_i/b^k - 1)(b^{k+l}/M - 1)}{b^l} = 1 + \frac{z_i}{b^{k+l}} + \frac{b^k}{M} - \frac{1}{b^l}$

$< 1 + \frac{b^k}{M} + \frac{(\alpha+\beta) M b^r}{b^{k+l}}$

$\le 1 + \max\left( b^{k-n+1} + (\alpha+\beta)\, b^{n+r-k-l-1},\; b^{k-n} + (\alpha+\beta)\, b^{n+r-k-l} \right).$
The last inequality follows from b^{n-1} ≤ M < b^n, and from the fact that the
convex function a/M + bM, a ≥ 0, becomes maximum when M is either minimal or maximal.

An interesting result needs k+l ≥ n+r. To limit the size of the necessary multiplication to
compute B_{k,l}, k should be as large and k+l as small as possible. Each additional condition
(13), (14), (15), and (16) then implies this last expression to be at most equal to θ.

Now B(z_i) ≡ z_i ≡ <z_i>_M mod M, hence (B(z_i) - <z_i>_M)/M is an integer;
since this number is less than θ, it follows that (B(z_i) - <z_i>_M)/M ≤ θ-1. Since also
<z_i>_M < M by definition, we conclude that z'_i = B(z_i) < θM.

The above is used in several ways. One way takes r = n, k = n-1, and
l = n+1. Then we compute z = B_{k,l}(xy) = B(xy) in one step, so β = 0. Proposition 3.4 states
that if x < M, then z < 3M. This proves the earlier claim.

Alternatively, b is taken small, typically b = 4, and k = n, l = r+1, and
α = β = θ. Since (1+b)b^2/(b^2-2) ≥ 2b/(b-2) for b > 3, the result in Proposition 3.4 states that
all intermediate results will be < θM if θ ≥ (1+b)b^2/(b^2-2) and b > 3, that is, < 6M when
b = 4. Similarly, for b = 4, if we let k = n-2, l = r+4, α = β = θ = 2, then all intermediate
results will be < 2M and if we let k = n-1, l = r+2, α = β = θ = 3, then all intermediate results
will be < 3M. Therefore, the modular exponentiation may forego additional reductions after
each modular multiplication and still guarantee that all intermediate results are non-negative
of size at most θM. Here θ is a number between 2 and 6, depending on the choice for k and
l. The final result is obtained via only a few reductions at the very end of the modular
exponentiation.
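The modified Barrett multiplication with the general reduction B_{k,l}, run through a whole exponentiation under the parameter sets (15) and (16) of Proposition 3.4 (b = 4), as an added example (not the patent's own code). No multiplication subtracts M; the routine records the largest intermediate value so the bound θM can be checked, and M is subtracted only in the terminal phase. B_kl, barrett_setup, mul_no_subtract, modexp_modified_barrett, PARAMETER_SETS and self_check are names chosen here; the fixed block count derived from θM is this example's choice, and the moduli in the check are constructed.

```python
# Added example (not the patent's code): exponentiation with the modified Barrett
# multiplication (reduction B_{k,l}, no per-multiplication subtraction), using the
# parameter sets (15) and (16) of Proposition 3.4 for b = 4.
import random

PARAMETER_SETS = {
    # label: (k as offset from n, l as offset from r, theta)
    "(15)": (-1, 2, 3),      # k = n-1, l = r+2, all intermediates < 3M
    "(16)": (-2, 4, 2),      # k = n-2, l = r+4, all intermediates < 2M
}


def B_kl(u, M, b, k, l):
    """B_{k,l}(u) = u - floor( floor(u / b^k) * floor(b^(k+l) / M) / b^l ) * M."""
    mu = b ** (k + l) // M                     # constant for a fixed modulus
    return u - ((u // b ** k) * mu // b ** l) * M


def barrett_setup(M, b, r, theta):
    """n with b^(n-1) <= M < b^n, and a fixed number of r-digit blocks that covers every
    operand below theta*M, so that the block loop length does not depend on the operand."""
    n = 1
    while b ** n <= M:
        n += 1
    ndig = n
    while b ** ndig < theta * M:
        ndig += 1
    return n, -(-ndig // r)


def mul_no_subtract(x, y, M, b, r, k, l, blocks):
    """z_i = x*y_i + z'_{i+1} b^r and z'_i = B_{k,l}(z_i) over the blocks of y, most
    significant first. The result is returned unreduced (it is < theta*M by the proposition)."""
    base = b ** r
    z = 0
    for i in reversed(range(blocks)):
        y_i = (y // base ** i) % base
        z = B_kl(x * y_i + z * base, M, b, k, l)
    return z


def modexp_modified_barrett(x, d, M, b=4, r=2, params="(15)"):
    """<x^d>_M with no subtraction inside the loop. Returns (result, peak, theta), where
    peak is the largest intermediate value seen, so that peak < theta*M can be checked."""
    dk, dl, theta = PARAMETER_SETS[params]
    n, blocks = barrett_setup(M, b, r, theta)
    k, l = n + dk, r + dl
    z, peak = 1, 1
    for bit in bin(d)[2:]:
        z = mul_no_subtract(z, z, M, b, r, k, l, blocks)
        peak = max(peak, z)
        if bit == "1":
            z = mul_no_subtract(z, x, M, b, r, k, l, blocks)
            peak = max(peak, z)
    while z >= M:                              # terminal phase: at most theta-1 subtractions
        z -= M
    return z, peak, theta


def self_check(trials=30, bits=80, seed=11):
    """Constructed random operands, both parameter sets: result matches pow() and peak < theta*M."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        x, d = rng.randrange(M), rng.getrandbits(bits)
        for params in PARAMETER_SETS:
            result, peak, theta = modexp_modified_barrett(x, d, M, params=params)
            if result != pow(x, d, M) or peak >= theta * M:
                return False
    return True
```

Set (16) trades a slightly larger multiplier (k+l = n+r+2) for the tighter 2M bound, which is the k versus k+l trade-off the text describes.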

By itself, a well-known third method for implementing modular
exponentiation is due to Montgomery. An improvement to this particular method has been
disclosed in M. Shand & J. Vuillemin, Fast Implementation of RSA Cryptography, in Proc.
11th Symposium on Computer Arithmetic, IEEE 1993, p. 252-259. In this reference, certain
normalizing proposals to the Montgomery method are done to obviate the need for repeated
normalizations after intermediate processing steps. The object of the reference was to
increase the overall speed of the processing. The present invention on the other hand, has
shown that timing attacks may be thwarted by initial operand conversions plus some minimal
hardware facilities for non-Montgomery algorithms. Such timing attacks have not figured in
the setting of the above citation. Furthermore, the Quisquater and Barrett methodologies have
been herein disclosed expressly by way of non-limiting embodiments only.
Figure 1 is a hardware block diagram of a device according to the
invention. The operand memory 20 is as shown based on the modular storage of 8-bit digits.
Address sequencer 22 successively addresses the various digit locations for reading and
writing, as the case may be. Processing element 24 and address sequencer 22 operate in
mutual synchronism through interconnection 21. Processing element 24 has an input register
26 for a first digit that may be received as read from memory 20. Furthermore, it has an
input register 30 for a second digit through retrocoupling from its result register 28. The
latter has an enlarged length with respect to the digit length. A selecting register 32 allows
digit-based retrostorage into memory 20. The processing element may execute normalizing,
preprocessing and postprocessing as described earlier, and further the standard modular
multiplication of the Quisquater, Barrett, and similar non-Montgomery methods. The
particular operations are governed through control register 30.

Figure 2 is a flow chart of the invention. In block 50, the operation is
started, which may need claiming of various hardware and software facilities. In block 52,
the encrypted message is received. In block 54, the message is preprocessed in the manner
described for any applicable algorithm. In block 56, one turn of the inner loop is executed,
that calculates an intermediate result on the basis of two b-ary digits. In block 58, the system
detects whether the inner loop in question has been executed a sufficient number of times
(ready?). If no, the system reverts to block 56. If yes, the system proceeds to block 60 and
executes one turn of the outer loop. Subsequently, in block 62, the system detects whether
the outer loop in question has been executed a sufficient number of times (ready?). If
no, the system reverts to block 56 for further executing the inner loop. If yes, the system
proceeds to block 64 for postprocessing the final results, and subsequently to block 66 for
outputting the result to a user, such as the central processing facility of the smart card in
question. The combination of Figures 1, 2, in combination with the extensive further
disclosure, is deemed to give the skilled art practitioner sufficient teachings as to how to
implement the invention.

SUMMARY OF THE METHODS

Input: x, d, M, 0 ≤ x, d, M < a^n. (Typically, a = 2). x is the encrypted message.
Output: z̄ = <x^d>_M. First, the standard methods are reviewed.

a. Preprocessing

Quisquater: x̄ = x, n̄ = n + p, M̄ = cM, where p is some integer and c is chosen such
that a^n̄ - a^{n̄-p} ≤ N = M̄ < a^n̄. This produces a unique choice for c. Also, a = 2.
Barrett: n̄ = n, M̄ = M, x̄ = x.

b. Partitioning of d

Write d = Σ_i d_i B^i. Typically, B = 2 and m = #bits of d.

c. Outer loop

z ← 1
repeat for i = m-1 → 0:
    z ← Mult(z, z; M̄)   (if B = 2; in general z ← <z^B>_M̄.)
    z ← Mult(z, x̄; M̄)   (only needed if d_i > 0).
endrepeat

d. Implementation of modular multiplication in operation Mult

The implementation of z ← Mult(u, v; M̄) assumes 0 ≤ u, v < M̄, and the result z satisfies
0 ≤ z < M̄.

e. Partitioning

Write v = Σ_i v_i B^i, where B = a^b for some integer b. In other words, the n̄ a-ary
digits of v are grouped in n' blocks of b digits each. (So n̄ = n'b.)
Moreover, Quisquater assumes that b ≤ p-1; Barrett takes b = n̄,
n' = 1.

f. Inner Loop

z ← 0
repeat for i:
    h ← z.F + u.v_i
    z ← R(h)
endrepeat
while z ≥ M̄ do z ← z - M̄.   (17)

Here, we have the following.
1. i = n'-1 → 0 in Quisquater and Barrett.

2. F = B = a^b (Quisquater and Barrett).

3. R(h) =
   Q(h) := h - ⌊h / a^n̄⌋ . M̄   (Quisquater),
   B(h) := h - ⌊ ⌊h / a^{n̄-1}⌋ . ⌊a^{2n̄} / M̄⌋ / a^{n̄+1} ⌋ . M̄   (Barrett).

The Barrett reduction operation B used here is a special case of the general Barrett reduction

$B_{k,l}(h) = h - \left\lfloor \frac{\lfloor h / a^k \rfloor \cdot \lfloor a^{k+l} / \bar{M} \rfloor}{a^l} \right\rfloor \cdot \bar{M}.$

In Quisquater and Barrett: 0 ≤ z < 3M̄ in all steps.

g. Postprocessing

Here z satisfies 0 ≤ z < M̄.

Quisquater: z̄ ← <z>_M.
Barrett: z̄ ← z.

RESUME OF CONDITIONS AND PROPERTIES IN "OLD" ALGORITHMS

Quisquater: p ≥ b + 1

Barrett: -
NEW METHODS

a. Preprocessing

As before, except that for Montgomery we now require more, e.g. that M
< R/4. (So n̄ = n + 2 if a = 2).

b. Partitioning of d

As before.

c. Outer loop

As before, but the operation Mult is implemented slightly differently.

d/e. Implementation of modular multiplication in operation Mult; Partitioning

As before, but for Quisquater we now require that b ≤ p-2.

f. Inner Loop

As before except that the last instruction "while z ≥ M̄ do z ← z - M̄" is
removed.

Also, for Barrett, instead of taking b = n̄, n' = 1 we allow other values
of b, and instead of the special case B = B_{n̄-1,n̄+1} we now take B = B_{k,l} for other values of k
and l. (For example k = n, l = b+1, or we choose a = 4 and take e.g. k = n-1, l = b+2 or k = n-2, l = b+4).

g. Postprocessing

Now we can only guarantee that z < θM̄ for some θ, typically θ = 2
or θ = 3. So in case of Barrett, the while statement (17) which was removed from the
Loop-part of the operation Mult must now occur here:
while z ≥ M̄ do z ← z - M̄.

For Quisquater, this same operation is also required, but can possibly be combined with the
other postprocessing (which does not change).

RESUME OF CONDITIONS AND PROPERTIES IN "NEW" ALGORITHMS

Quisquater

p ≥ b + 2 (instead of b + 1)

Barrett

Various possible values for the numbers k, l of the Barrett reduction operator B_{k,l}. A good
condition may be found as follows.

To compute x.y mod M by Barrett:

If y = (y_{n'-1}, ..., y_0) with each y_i < b^r (b-ary digits) and given 0 ≤ x < αM, 0 ≤ z'_{i+1} ≤
βM, we have

$\frac{z'_i - \langle z_i \rangle_M}{M} = \frac{B_{k,l}(z_i) - \langle z_i \rangle_M}{M} < 1 + \max\left( b^{k-n+1} + (\alpha+\beta)\, b^{n+r-k-l-1},\; b^{k-n} + (\alpha+\beta)\, b^{n+r-k-l} \right),$

which we need to be ≤ θ. Certainly needed: k + l ≥ n + r.

Classical: r = n, k = n-1, l = n+1, then β = 0, α = 1 → z < 3M (θ = 3).

New: r < n, α = β = θ. The condition is

$1 + \max\left( b^{k-n+1} + 2\theta\, b^{n+r-k-l-1},\; b^{k-n} + 2\theta\, b^{n+r-k-l} \right) < \theta$

to have result < θM.

Better condition:

$1 + \frac{b^k}{M} + \frac{2\theta M b^r}{b^{k+l}} < \theta$

for all allowable M.

Example b = 2:

$1 + \frac{2^k}{M} + \frac{2\theta M 2^r}{2^{k+l}} < \theta, \qquad 2^{n-1} \le M < 2^n \;\Rightarrow\; 1 + \max\left( 2^{k-n+1} + 2\theta\, 2^{n+r-k-l-1},\; 2^{k-n} + 2\theta\, 2^{n+r-k-l} \right) < \theta.$

Remark: In both algorithms, these new conditions translate in terms of hardware into the use
of slightly larger registers to store various intermediate variables.
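A checker for the "better condition" of this section (the inequality of Claim 3), as an added example (not the patent's own code). The left-hand side is convex in M, so it is evaluated in exact rational arithmetic at M = b^{n-1} and at the open end M = b^n only; a second helper enumerates admissible (k, l) pairs and orders them by the cost criterion the text gives (large k, small k+l). better_condition and admissible_parameters are names chosen here; the search window max_extra is this example's own parameter.

```python
# Added example (not the patent's code): evaluating the Barrett parameter condition
# 1 + b^k/M + 2*theta*M*b^r / b^(k+l) < theta over all allowable M, and listing (k, l) pairs
# that satisfy it.
from fractions import Fraction


def better_condition(b, n, r, k, l, theta):
    """True iff 1 + b^k/M + 2*theta*M*b^r / b^(k+l) < theta for every M with b^(n-1) <= M < b^n.
    The left side is convex in M, so its maximum lies at an end of the interval."""
    worst = max(
        1 + Fraction(b ** k, M) + Fraction(2 * theta * M * b ** r, b ** (k + l))
        for M in (b ** (n - 1), b ** n)       # b^n is excluded, but bounds the open end
    )
    return worst < theta


def admissible_parameters(b, n, r, theta, max_extra=6):
    """(k, l) pairs with n - max_extra <= k <= n and r <= l <= r + max_extra satisfying the
    condition, sorted so that small k + l and, for equal k + l, large k come first
    (the cheapest B_{k,l} multiplications)."""
    found = [
        (k, l)
        for k in range(n - max_extra, n + 1)
        for l in range(r, r + max_extra + 1)
        if better_condition(b, n, r, k, l, theta)
    ]
    return sorted(found, key=lambda kl: (kl[0] + kl[1], -kl[0]))
```

For b = 4 the pairs (n-1, r+2) with θ = 3 and (n-2, r+4) with θ = 2 of Proposition 3.4 pass; for b = 2 the same offsets do not, and a larger l is needed, which is why the condition has to be re-evaluated for each radix.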
CLAIMS:

1. A method for executing a decrypting modular exponentiation modulo M,
by digit-wise calculating modular and looped multiplications X*Y mod M, according to a
non-Montgomery procedure, with M a temporally steady but instance-wise non-uniform
modulus, said method involving an iterative series of steps organized in an inner loop-outer
loop hierarchy wherein each step is associated to executing one or two first multiplications to
produce a first result, and the hierarchy is associated to a trim-down reduction of the size of
the first result by one or more second multiplications to produce a second result,
said method furthermore taking a distinctive measure for keeping a final result of such step
below a predetermined multiplicity of said modulus,
said method being characterized by postponing substantially any
subtraction of the modulus as pertaining to said measure to a terminal phase of the modular
exponentiation, as being conditional to choosing in an appropriate manner one or more
preprocessing parameters figuring in the method whilst maintaining overall temporal
performance of the method, whereby intermediate results have a guaranteed upper bound.

2. A method as claimed in Claim 1, for executing the exponentiation along
the Quisquater prescription, whilst choosing the value of the integer p = n̄ - n not less than
b + 2, that is, p ≥ b + 2.

3. A method as claimed in Claim 1, for executing the exponentiation along
the Barrett prescription, whilst choosing the value of the numbers k, l in a suitable manner
according to: 1 + (b^k / M) + (2θ M b^r / b^{k+l}) < θ.

4. A device arranged for executing the method as claimed in Claim 1.

5. A device as claimed in Claim 4, and having enhanced register width for
therein storing intermediate results of the exponentiation.



[Figure 1 (drawing sheet 1/2): hardware block diagram; reference numerals 20 (operand memory), 21 (interconnection), 22 (address sequencer), 24 (processing element), 26 (input register), 28 (result register), 30 (input/control register), 32 (selecting register).]

[Figure 2 (drawing sheet 2/2): flow chart; the final blocks shown are 64 POSTPROCESS and 66 OUTPUT.]
WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

PCT

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 6: H04K 1/02, H04L 9/30

A3

(11) International Publication Number: WO 99/14880

(43) International Publication Date: 25 March 1999 (25.03.99)

(21) International Application Number: PCT/IB98/01255

(22) International Filing Date: 17 August 1998 (17.08.98)

(30) Priority Data: 97202855.9, 16 September 1997 (16.09.97), EP

(71) Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V. [NL/NL]; Groenewoudseweg 1, NL-5621 BA Eindhoven (NL).

(71) Applicant (for SE only): PHILIPS AB [SE/SE]; Kottbygatan 7, Kista, S-164 85 Stockholm (SE).

(72) Inventors: HOLLMANN, Hendrik, Dirk, Lodewijk; Prof. Holstlaan 6, NL-5656 AA Eindhoven (NL). VAN DIJK, Marten, Erik; Prof. Holstlaan 6, NL-5656 AA Eindhoven (NL). LENOIR, Petrus, Johannes; Prof. Holstlaan 6, NL-5656 AA Eindhoven (NL).

(74) Agent: GROENENDAAL, Antonius, W., M.; Internationaal Octrooibureau B.V., P.O. Box 220, NL-5600 AE Eindhoven (NL).

(81) Designated States: JP, European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE).

Published
With international search report.
Before the expiration of the time limit for amending the claims and to be republished in the event of the receipt of amendments.

(88) Date of publication of the international search report: 10 June 1999 (10.06.99)

(54) Title: A METHOD AND DEVICE FOR EXECUTING A DECRYPTING MECHANISM THROUGH CALCULATING A
STANDARDIZED MODULAR EXPONENTIATION FOR THWARTING TIMING ATTACKS

INTERNATIONAL SEARCH REPORT

International application No. PCT/IB 98/01255

A. CLASSIFICATION OF SUBJECT MATTER

IPC6: H04K 1/02, H04L 9/30

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols)

IPC6: H04K, H04L

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched

SE, DK, FI, NO classes as above

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used)

C. DOCUMENTS CONSIDERED TO BE RELEVANT

Category* | Citation of document, with indication, where appropriate, of the relevant passages | Relevant to claim No.
A | US 5166978 A (JEAN-JACQUES QUISQUATER), 24 November 1992 (24.11.92), abstract | 1-5
A | US 5479511 A (DAVID NACCACHE), 26 December 1995 (26.12.95), abstract | 1-5
A | US 5604805 A (STEFANUS A. BRANDS), 18 February 1997 (18.02.97), abstract | 1-5

Further documents are listed in the continuation of Box C.
See patent family annex.

* Special categories of cited documents:
"A" document defining the general state of the art which is not considered to be of particular relevance
"E" earlier document but published on or after the international filing date
"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified)
"O" document referring to an oral disclosure, use, exhibition or other means
"P" document published prior to the international filing date but later than the priority date claimed
"T" later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention
"X" document of particular relevance: the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone
"Y" document of particular relevance: the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art
"&" document member of the same patent family

Date of the actual completion of the international search: 21 April 1999

Date of mailing of the international search report: 22-04-1999

Name and mailing address of the ISA/
Swedish Patent Office
Box 5055, S-102 42 STOCKHOLM
Facsimile No. +46 8 666 02 86

Authorized officer: Bengt Romedahl

Telephone No. +46 8 782 25 00

Form PCT/ISA/210 (second sheet) (July 1992)



INTERNATIONAL SEARCH REPORT

Information on patent family members

02/03/99

International application No. PCT/IB 98/01255

Patent document cited in search report | Publication date | Patent family member(s) | Publication date

US 5166978 A | 24/11/92 | DE (number illegible in source) D | 00/00/00
             |          | FR (number illegible in source) A,B | (illegible in source)
             |          | JP 4216588 A | 06/08/92

US 5479511 A | 26/12/95 | AU (number illegible in source) A | (illegible in source)
             |          | (country and number illegible in source) | (illegible in source)
             |          | (country and number illegible in source) | (illegible in source)
             |          | (country and number illegible in source) T | 01/07/97
             |          | JP (number illegible in source) A | (illegible in source)
             |          | WO (number illegible in source) | (illegible in source)

US 5604805 A | 18/02/97 | AU 7709?94 A (? = illegible digit) | 28/02/95
             |          | CA 2168658 A | 09/02/95
             |          | NL 9301348 A | 01/03/95
             |          | NL 9302103 A | 03/07/95
             |          | US 5521980 A | 28/05/96
             |          | US 5668878 A | 16/09/97
             |          | US 5696827 A | 09/12/97
             |          | WO 9504417 A | 09/02/95



DOCKET NO: (illegible in source)
SERIAL NO: ___
APPLICANT: (illegible in source)
LERNER AND GREENBERG P.A.
P.O. BOX 2480
HOLLYWOOD, FLORIDA 33022
TEL (954) 925-1100



Form PCT/ISA/210 (patent family annex) (July 1992)



